|
One of my coworkers thought that password salting was doing things like p4$$w0rD 5@L+inG
|
#
?
Jan 13, 2019 05:02
|
|
|
|
| # ? May 19, 2024 17:51 |
|
|
Raere posted:Say you're designing an authentication backend (I'm not) and are storing passwords as salted hashes. Where do you store the salts, if properly designed? if not using a library that automatically embeds the salt with the hash, you put it alongside the hash value -- salts to do not need to be secret.
|
|
#
?
Jan 13, 2019 06:05
|
|
|
Captain Foo posted:One of my coworkers thought that password salting was doing things like p4$$w0rD 5@L+inG If I ever caught a coworker not using a salt and hash with bcrypt I would be so loving upset. Every modern language has a canned library to do that in usually one or two lines.
|
|
#
?
Jan 13, 2019 07:24
|
|
|
Captain Foo posted:One of my coworkers thought that password salting was doing things like p4$$w0rD 5@L+inG mmm, that's s4lty
|
|
#
?
Jan 13, 2019 08:18
|
|
|
jit bull transpile posted:I don't think you trust At least make it a haiku. I don't think you trust My self-signed certificate The key looks nice though
|
|
#
?
Jan 13, 2019 09:23
|
|
|
Carbon dioxide posted:At least make it a haiku. begone non metal likers
|
|
#
?
Jan 13, 2019 09:30
|
|
|
https://youtu.be/2NawGCUOYT4
|
|
#
?
Jan 13, 2019 10:35
|
|
|
ratbert90 posted:If I ever caught a coworker not using a salt and hash with bcrypt I would be so loving upset. Every modern language has a canned library to do that in usually one or two lines. like, how would you even do that lmao
|
|
#
?
Jan 13, 2019 13:02
|
|
|
ratbert90 posted:If I ever caught a coworker not using a salt and hash with bcrypt I would be so loving upset. Every modern language has a canned library to do that in usually one or two lines. He wasn't rolling his own or anything, just misinformed on technical details
|
|
#
?
Jan 13, 2019 13:33
|
|
|
Carbon dioxide posted:At least make it a haiku. ban
|
|
#
?
Jan 13, 2019 13:33
|
|
|
Captain Foo posted:He wasn't rolling his own or anything, just misinformed on technical details That means he can't be arsed to Google for 10 seconds. Guillotine Cocoa Crispies posted:like, how would you even do that lmao How would you even do what? Salt, hash and crypt a password in 2 lines?
|
|
#
?
Jan 13, 2019 18:24
|
|
|
Carbon dioxide posted:At least make it a haiku. Haikus have to be about the seasons. 
|
|
#
?
Jan 13, 2019 18:25
|
|
|
ratbert90 posted:Haikus have to be about the seasons. three winters from now fallen leaves under snow and your cert expires
|
|
#
?
Jan 13, 2019 18:30
|
|
|
haveblue posted:
Beautiful!
|
|
#
?
Jan 13, 2019 18:31
|
|
|
haveblue posted:
|
|
#
?
Jan 13, 2019 18:57
|
|
|
ratbert90 posted:How would you even do what? Salt, hash and crypt a password in 2 lines? I can’t be arsed to google for 10 seconds, but none of the bcrypt libraries I’ve used have documented functions to do anything beyond “turn password into digest” or “tell if password matches digest”
|
|
#
?
Jan 13, 2019 23:51
|
|
|
Cocoa Crispies posted:I can’t be arsed to google for 10 seconds, but none of the bcrypt libraries I’ve used have documented functions to do anything beyond “turn password into digest” or “tell if password matches digest” i did google for 10 seconds and i believe this is because bcrypt embeds the salt in the digest/hash, and if you want them separately then you have to do some extra motions
|
|
#
?
Jan 14, 2019 02:31
|
|
|
this is a known thing. many antivirus and "security" tools basically take the approach of "well this code might be bad, so we're gonna load up our own custom VM-esque environment in order to step through it and figure out if it's actually bad". but then oh boy hmm suddenly the same attacks that work against the real system work against the fake sandbox one too????? uh oh
|
|
#
?
Jan 14, 2019 02:44
|
|
|
language bcrypt library storepass language bcrypt library checkpass Suddenly I'm a developer I can write down about a
|
|
#
?
Jan 14, 2019 03:54
|
|
|
Penisface posted:i did google for 10 seconds and i believe this is because bcrypt embeds the salt in the digest/hash, and if you want them separately then you have to do some extra motions if you want them separately for literally any reason you are doing it wrong and should be ashamed
|
|
#
?
Jan 14, 2019 07:25
|
|
|
CRIP EATIN BREAD posted:this is true. i have to connect to a lot of sites that follow a chain to root certs that aren't provided by default by any browser or OS. for whatever reason they like their own. Potato Salad posted:I can write down about a
|
|
#
?
Jan 14, 2019 07:41
|
|
|
Shame Boy posted:if you want them separately for literally any reason you are doing it wrong and should be ashamed well, it's a valid question, i wondered the same thing years ago. i also thought that the salt should be kept secret and was  ing my rear end off. "but if the password hashes leak, how do i keep the salts from leaking  "
|
|
#
?
Jan 14, 2019 09:46
|
|
|
yeah, if you have somewhere very secure to hide the salt, perhaps as well to hide the hash there too
|
|
#
?
Jan 14, 2019 11:43
|
|
|
Potato Salad posted:language bcrypt library storepass This is literally all devs should have access to or they will gently caress it up incredibly.
|
|
#
?
Jan 14, 2019 11:50
|
|
|
ErIog posted:This is literally all devs should have access to or they will gently caress it up incredibly. shouldn't there be the bit where you configure the passes and define the salt as well?
|
|
#
?
Jan 14, 2019 12:11
|
|
|
Penisface posted:shouldn't there be the bit where you configure the passes and define the salt as well? There should never be a bit where you define the salt - if you're storing a new password, it generates it randomly; if you're checking an existing password, the salt is stored in the hash string that you're checking against. Configuring parameters like number of passes is part of storing a new password as well (the parameters chosen get stored in the hash string too), but really the library should just have sane defaults.
|
|
#
?
Jan 14, 2019 12:31
|
|
|
Cybernetic Vermin posted:yeah, if you have somewhere very secure to hide the salt, perhaps as well to hide the hash there too sure, but the security of bcrypt and similar hashes comes from them being intentionally resource intensive, and afaik the only thing that the salt adds is that when the attacker manages to crack one password, they can't immediately see what other users have the same password and instead have to brute force the hashes individually.
|
|
#
?
Jan 14, 2019 12:55
|
|
|
also, so they cannot look up your passwords in a rainbow table because adding salt would be prohibitively expensive on a thing that's already fairly expensive.
|
|
#
?
Jan 14, 2019 13:12
|
|
|
ErIog posted:This is literally all devs should have access to or they will gently caress it up incredibly. Post/av combo
|
|
#
?
Jan 14, 2019 13:41
|
|
|
Truga posted:also, so they cannot look up your passwords in a rainbow table because adding salt would be prohibitively expensive on a thing that's already fairly expensive.
|
|
#
?
Jan 14, 2019 16:20
|
|
|
https://www.google.com/search?client=firefox-b-ab&q=29f33cab54c2a8858885b95d8fbb7ff1  obviously md5 shouldn't be used any longer, but that's the idea.
|
|
#
?
Jan 14, 2019 16:31
|
|
|
geonetix posted:because, did you expect anything else? *fat person steps in view of the ring doorbell* VEHICLE DETECTED
|
|
#
?
Jan 14, 2019 19:43
|
|
|
I’m still wondering if amazon plans to buy nextdoor and packaged it with their ring doorbell poo poo cause if you looked at the posts on nextdoor you’d think they’ve already partnered with them
|
|
#
?
Jan 14, 2019 19:46
|
|
|
This might be a fun list to keep tabs on: http://www.firemountain.net/mailman/listinfo/dumpsterfire
|
|
#
?
Jan 14, 2019 20:58
|
|
|
https://www.derbycon.com/blog/derbycon-9-0-every-beginning-has-an-end/quote:2019 will be our last year of DerbyCon. Please know that this decision was not done in haste, and it was one of the most difficult decisions we have ever had to make in our lives. We looked at hiring third-party crisis management companies to deal with people directly, we looked at having entire companies run the conference where we would become more of the direction and vision, but at the end of the day, that is not why we started DerbyCon. It’s taken a personal toll on our lives, our businesses, and our friends, and it has gotten to the point where we don’t want to manage it anymore. https://twitter.com/deborahlindseyl/status/1048401891913334785 also lol https://twitter.com/BLMGTN_FOOLS/status/1049176573860036608
|
|
#
?
Jan 14, 2019 21:19
|
|
|
Optimus_Rhyme posted:https://www.derbycon.com/blog/derbycon-9-0-every-beginning-has-an-end/ quote:This year, we had to handle issues that honestly, as an adult, we would never expect to have to handle from other adults. Conferences in general have shifted focus to not upsetting individuals and having to police people’s beliefs, politics, and feelings. Instead of coming to a conference to learn and share, it’s about how loud of a message a person can make about a specific topic, regardless of who they tear down or attempt to destroy. To put it in perspective, we had to deal with an individual that was verbally and mentally abusive to a number of our volunteer staff and security to the point where they were in tears. what's the story here? i ignore con drama
|
|
#
?
Jan 14, 2019 21:33
|
|
|
Optimus_Rhyme posted:https://www.derbycon.com/blog/derbycon-9-0-every-beginning-has-an-end/ I wish I could have been there to unleash all of my unprofessional and undiplomatic fury on whoever wrote that while they were writing it.
|
|
#
?
Jan 14, 2019 21:46
|
|
|
Lain Iwakura posted:what's the story here? i ignore con drama a manchild did a meetoo + breasts joke on a board this kills the con
|
|
#
?
Jan 14, 2019 21:49
|
|
|
So colour me ignorant, but why wasn't that person just kicked out and everyone else could have just moved on?
|
|
#
?
Jan 14, 2019 21:54
|
|
|
|
| # ? May 19, 2024 17:51 |
|
|
Boiled Water posted:a manchild did a meetoo + breasts joke on a board It was more than that as Lain Iwakura already quoted above.
|
|
#
?
Jan 14, 2019 21:55
|
|